Hello @RatnadeepB.08293 (Customer)​  Thank you for posting on our Community page!

This is a common issue when integrating Okta with SAP Analytics Cloud (SAC) via SCIM. When basic user creation (POST) and user imports (GET) succeed, but Group Imports and Schema Discovery (Refresh Attribute List) fail, the root cause almost always points to OAuth permission scopes, missing integration toggles, or SAC tenant schema limitations.

Here is a step-by-step guide to resolving these issues:

1. Re-authenticate the API with "System Owner" Privileges

The OAuth token generated during the initial Okta setup dictates what Okta is allowed to read from your SAC tenant. If the admin who clicked "Authenticate with SAP Analytics Cloud" did not have the System Owner role—or if their permissions were later modified—Okta will be blocked from reading Groups (Teams/Roles in SAC) and Schemas.

• How to fix it: 1. Go to your Okta Admin Console -> Applications -> SAP Analytics Cloud. 2. Navigate to the Provisioning tab and select Integration on the left menu. 3. Click Edit and click Authenticate with SAP Analytics. 4. Ensure you log in and authorize the connection using an SAC account that explicitly holds the System Owner role. 5. Click Save.

2. Verify "Import Groups" is Explicitly Enabled

Okta will not import groups from SAP Analytics Cloud automatically; this feature must be toggled on within the API integration settings, not just the Provisioning settings.

• How to fix it:

1. In the Okta Admin Console, go to Applications -> SAP Analytics Cloud -> Provisioning -> Integration.
2. Click Edit.
3. Look for the Import Groups checkbox. Check it. (If it is already checked, uncheck it, save, click edit, check it again, and save to force a refresh).
4. Go to the Import tab and run a Full Import. Groups should now pull through.

3. "Refresh Attribute List" & Schema Limitations in SAC

If you are clicking "Refresh Attribute List" and nothing happens (or no new attributes appear), it is likely because SAP Analytics Cloud does not have any custom attributes exposed via its SCIM endpoint.

• Okta's "Refresh Attribute List" makes a call to SAC's GET /Schemas API endpoint.
• Unlike standard Active Directory or highly customizable apps, SAC has a very rigid user schema. If you haven't explicitly created supported custom user fields inside SAC that are exposed to their SCIM API, Okta will find nothing new to import. It will silently "fail" (meaning it refreshes, sees only the default attributes Okta already has, and adds nothing).
• To ensure you are doing it in the right place: 1. In Okta, go to Directory -> Profile Editor. 2. Find the SAP Analytics Cloud app and click Profile. 3. Click Add Attribute, and then click Refresh Attribute List. 4. If the list remains empty, it means SAC is not sending any custom extensions. You will only be able to map Okta attributes to the standard base SAC attributes.

4. Verify your App Purpose in SAP BTP / SAC

When you created the OAuth Client inside SAP Analytics Cloud (under System -> Administration -> App Integration), the documentation specifies you must set the Purpose to Interactive Usage.

• If you set it to API Access or Client Credentials, the authorization flows behave differently and can block Okta's background syncs for larger payloads like Schema Discovery and Group imports. Verify in SAC that your OAuth client is configured correctly.

Thank you for reaching out to our Community and have a great day!

--

Help others in the community by liking or hitting Select as Best if this response helped you.